PBR rules can reference firewall groups, similar to normal firewall rules. However, with the change to `nftables`, these names currently don't resolve in the policy code.
Here's an example for a `network-group`:
```
set firewall group network-group RFC1918 network '192.168.0.0/16'
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
set policy route BEAR rule 1 destination group network-group RFC1918
commit
```
This fails with
```
[ policy route BEAR ]
Failed to apply policy based routing
[[policy route BEAR]] failed
Commit failed
```
Running `nft -c -f /run/nftables_policy.conf` reveals that the named network group `RFC1918` (which is defined as a variable in `/run/nftables.conf`) is not known:
```
/run/nftables_policy.conf:11:19-27: Error: unknown identifier 'N_RFC1918'
ip daddr $N_RFC1918 counter return comment "BEAR-1"
^^^^^^^^^
```
I am uncertain whether moving all the `define` stuff from `nftables.conf` into a separate file and then including it in `nftables*.conf` would work, but theoretically, it should, e.g. with something like this:
```
#!/usr/sbin/nft -f
# include a single file using an absolute path
include "/run/nftables_define.conf"
```
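As an added example (my own illustration, not part of this report and not VyOS' generator code), the script below lays out the split proposed above: one `nftables_define.conf` holding the `define`s, included from both the main ruleset and the policy ruleset, plus the broken single-file layout from the report for comparison. The table and chain names (`ip filter`, `ip policy`, `BEAR`) and the file paths are assumptions for illustration; VyOS' real generated files may differ. `undefined_identifiers` is a small offline check that lists every `$NAME` reference in a file that has no matching `define` in that file or in a file it includes, which is exactly the condition behind the `unknown identifier` error above. `check_nft_config` runs the real parser (`nft -c -f`) on each file when `nft` is installed and only reports when it is not.

```shell
#!/bin/sh
# Added example (not from the bug report): keep nftables `define`s in one
# shared file and include it from every ruleset that references them.
set -eu

# Write the example files into DIR. Table/chain names are assumptions.
write_split_nft_config() {
    dir="$1"
    mkdir -p "$dir"

    # 1. Shared definitions, generated once from the firewall group config.
    cat > "$dir/nftables_define.conf" <<'EOF'
#!/usr/sbin/nft -f
# network-group RFC1918 rendered as an anonymous set
define N_RFC1918 = { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
EOF

    # 2. Main ruleset: includes the definitions instead of carrying them inline.
    {
        printf '#!/usr/sbin/nft -f\ninclude "%s/nftables_define.conf"\n' "$dir"
        cat <<'EOF'
table ip filter {
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        ip daddr $N_RFC1918 counter comment "example"
    }
}
EOF
    } > "$dir/nftables.conf"

    # 3. PBR ruleset: the same include makes $N_RFC1918 known here as well.
    {
        printf '#!/usr/sbin/nft -f\ninclude "%s/nftables_define.conf"\n' "$dir"
        cat <<'EOF'
table ip policy {
    chain BEAR {
        ip daddr $N_RFC1918 counter return comment "BEAR-1"
    }
}
EOF
    } > "$dir/nftables_policy.conf"

    # 4. For contrast: the layout from the report, no include at all.
    cat > "$dir/nftables_policy_broken.conf" <<'EOF'
#!/usr/sbin/nft -f
table ip policy {
    chain BEAR {
        ip daddr $N_RFC1918 counter return comment "BEAR-1"
    }
}
EOF
}

# Print every $NAME referenced in FILE that has no `define NAME` in FILE or
# in a file FILE includes (one level deep, which is all the layout above needs).
undefined_identifiers() {
    file="$1"
    defs=$(
        {
            cat "$file"
            sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$file" |
                while read -r inc; do cat "$inc"; done
        } | sed -n 's/^[[:space:]]*define[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p'
    )
    grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$file" | sed 's/^\$//' | sort -u |
        while read -r ref; do
            echo "$defs" | grep -qx "$ref" || echo "$ref"
        done
}

# Run the real parser in check mode (nft -c -f parses and validates without
# loading anything into the kernel). Skips when nft is not installed.
check_nft_config() {
    dir="$1"
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed, skipping syntax check" >&2
        return 0
    fi
    for f in nftables.conf nftables_policy.conf nftables_policy_broken.conf; do
        if nft -c -f "$dir/$f" 2>/dev/null; then
            echo "ok:   $f"
        else
            echo "FAIL: $f"
        fi
    done
}

# Demo: the split layout resolves N_RFC1918, the single-file layout does not.
d=$(mktemp -d)
write_split_nft_config "$d"
echo "undefined in nftables_policy.conf:        $(undefined_identifiers "$d/nftables_policy.conf")"
echo "undefined in nftables_policy_broken.conf: $(undefined_identifiers "$d/nftables_policy_broken.conf")"
check_nft_config "$d"
rm -rf "$d"
```

On a VyOS box the interesting run is `check_nft_config` with `nft` present: `nftables_policy_broken.conf` should fail with the same `unknown identifier 'N_RFC1918'` as in the report, while the two files that carry the `include` should parse. The offline `undefined_identifiers` check gives the same verdict without needing `nft` or `CAP_NET_ADMIN`, so it can run wherever the configs are generated.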